Identity and access management
Identity requirements for AVS vary with how the private cloud is deployed and connected in Azure, but every deployment starts the same way: AVS ships with a built-in vCenter Server user, cloudadmin@vsphere.local, that holds the CloudAdmin role. CloudAdmin carries a broad but deliberately limited set of vCenter privileges. It is a subset of the vSphere Administrator role, because host- and cluster-level operations remain under Microsoft's control, while everything below that level (folders, resource pools, virtual machines, roles and permissions) is yours to govern. Because the built-in account is powerful, define additional roles in the AVS environment following the principle of least privilege:
- Active Directory Domain Services (AD DS): Deploy an AD DS domain controller in your identity subscription in Azure. Authentication requests from AVS workloads and from vCenter can then be answered by a domain controller in Azure rather than traversing the ExpressRoute or VPN connection back to the customer's on-premises environment.
- Least-privilege roles: Keep membership of the CloudAdmin role to a small number of accounts. For everyone else who works in AVS, create custom vSphere roles that grant only the privileges their task requires.
- Resource-based access control: Grant Azure role-based access control (RBAC) permissions only at the scope of the resource group that contains the AVS private cloud, and only to the delegated users or groups who need to manage it. Avoid subscription-level assignments for AVS operators.
- vSphere permissions: Assign custom roles at the top level of the vCenter inventory only when there is no alternative. Prefer granting permissions on the specific VM folder or resource pool the users need, with propagation limited to that subtree. As a rule, do not assign any vSphere permission at or above the data center object.
- Active Directory sites and services: Configure Active Directory Sites and Services with the client IP subnets used by AVS so that clients locate the nearest domain controller, which shortens authentication times and avoids unnecessary cross-site traffic.
- Active Directory groups: Use Active Directory groups as the unit of access control for vCenter Server and NSX-T Manager. Create custom roles and assign them to Active Directory groups rather than to individual users, so that access follows group membership and can be reviewed and revoked centrally.
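The following PowerShell is an added example that puts the items above into practice; it is not from the original text or from Microsoft's documentation. It scopes an Azure RBAC assignment to the resource group holding the private cloud, connects to vCenter as cloudadmin, creates a custom vSphere role with a minimal privilege set, grants it to an Active Directory group on a VM folder rather than at the data center, and then audits the inventory for permissions assigned at or above the data center level. The resource group rg-avs-prod, the groups AVS-Platform-Operators and CONTOSO\AVS-VM-Operators, the Prod-Workloads folder, the role name and the vCenter FQDN are all assumptions. It requires the Az and VMware.PowerCLI modules, and the CONTOSO domain must already have been added to vCenter as an identity source (in AVS this is done with the Run command that registers an LDAP/LDAPS identity source).

```powershell
# Added example: applies the least-privilege guidance above to an AVS private cloud.
# Requires the Az and VMware.PowerCLI modules. All names below are assumed/hypothetical.

# --- 1. Azure control plane: grant management rights only at the AVS resource group ---
Connect-AzAccount | Out-Null
$rg      = 'rg-avs-prod'                                         # assumed resource group holding the private cloud
$azGroup = Get-AzADGroup -DisplayName 'AVS-Platform-Operators'   # assumed Microsoft Entra ID group
New-AzRoleAssignment -ObjectId $azGroup.Id `
                     -RoleDefinitionName 'Contributor' `
                     -ResourceGroupName $rg | Out-Null           # scope is the resource group, not the subscription

# --- 2. vSphere control plane: connect with the built-in cloudadmin account ---
$vc = 'vcsa.<private-cloud-id>.<region>.avs.azure.com'           # assumed; copy the real FQDN from the private cloud's Identity blade
Connect-VIServer -Server $vc -User 'cloudadmin@vsphere.local' | Out-Null

# Custom role: only the VM operations a day-2 operator needs.
# vCenter adds the implicit System.Anonymous/System.View/System.Read privileges itself.
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)
$roleName = 'AVS-VM-Operator'                                    # assumed role name
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privIds)
}

# Grant the role to an AD group on one VM folder, propagating only into that subtree.
# Prerequisite: the CONTOSO domain is already an identity source in this vCenter.
$folder = Get-Folder -Name 'Prod-Workloads' -Type VM             # assumed folder
New-VIPermission -Entity $folder `
                 -Principal 'CONTOSO\AVS-VM-Operators' `
                 -Role $role -Propagate:$true | Out-Null

# --- 3. Check: nothing except vCenter's own built-in principals at data center level or above ---
# Microsoft's CloudAdmin assignment and vCenter's service accounts live in VSPHERE.LOCAL;
# any other principal found here violates the "not at or above the data center" rule.
$topLevel = @(Get-Datacenter) + @(Get-Folder -NoRecursion)      # every data center plus the root folder
$stray = Get-VIPermission -Entity $topLevel |
         Where-Object { $_.Principal -notlike 'VSPHERE.LOCAL\*' }
if ($stray) {
    Write-Warning 'Permissions assigned at or above the data center level:'
    $stray | Format-Table Entity, Principal, Role, Propagate -AutoSize
} else {
    Write-Output 'No user-assigned permissions at or above the data center level.'
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Step 3 is worth running on a schedule, not just once: a well-meaning administrator granting a role at the data center "to make it work" is the most common way these controls erode, and the audit makes that visible before it becomes the baseline. Because the permission in step 2 is bound to an Active Directory group, onboarding and offboarding operators is then a group-membership change in AD rather than a vCenter change.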